DHCP server : Deny unknown clients - bypass



  • I have a few simple pfSense 2.2.4 setups with
    single WAN,
    "INTERNAL LAN" and
    "GUEST LAN".
    pfSense is the DHCP server for both the "INTERNAL LAN" and the "GUEST LAN" with "Deny unknown clients" active on both LANs.

    So setup:
    "INTERNAL LAN" : DHCP Static Mappings defined for all trusted "own" machines, Deny unknown clients selected - small DHCP range defined but should not be used.

    "GUEST LAN" : DHCP Static Mappings defined for trusted "long term guest" machines,
    Deny unknown clients selected - small DHCP range defined but should not be used.

    Now, what I was not expecting is that a machine defined on the "GUEST LAN" as a static mapping CAN still connect to the "INTERNAL LAN", even getting an IP address from the DHCP server on the "INTERNAL LAN" with no mapping defined there for that "INTERNAL LAN".

    It does not seem like a desired outcome to me.
    Besides protecting with an MDM layer, are there other solutions?

    thanks,


  • Rebel Alliance Global Moderator

    Defined clients for static mappings anywhere make them a known client.  If they move to a segment that has a dhcp scope even without a reservation then they would be able to get an IP from this scope.  If you don't want clients moving segments then you shouldn't have dhcp scopes available.  What is the point of these scopes if you're setting reservations and setting deny unknown clients?

    Remove your scopes and this behavior goes away.  Even if a known client moves to a different segment there would be no addresses to give them.

    Since you created these scopes seems like it's acting exactly how you would want it to act.  Known clients can move between segments and leverage the dhcp scope there because they are "known" to pfsense.  But if I brought my client over it wouldn't get an IP because it's not a known client in any of your scopes.



  • Thanks,

    It might be a language issue (mine) but the way the settings are interpreted does not feel "intuitive" to me.

    Funny thing is,
    when I tried to remove the only DHCP scope on the INTERNAL LAN interface, pfsense does not let me.

    The "start" and "end" ip addresses are a requirement if you have DHCP on the interface.



  • You could issue the static addresses outside the DHCP-range.
    You could use [Services: DHCP server] (Enable Static ARP entries).


  • Rebel Alliance Global Moderator

    static or reservations should always be outside the scope.  I will have to look if there is a requirement for scope if dhcp is on for static reservations.

    edit:  I see your point if I have dhcp enabled because I want to use statics. And deny unknown you have to have a scope - even if only 1 ip.  This would make it possible for a known client from different interface to move over to that segment and get that IP.

    for this sort of setup there should be a way to not have a scope defined I guess.
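
An audit of the behaviour discussed in this thread, as an added example that is not part of any post and is not pfSense code: it lists MACs that are "known" through a static mapping on one interface and could therefore take a dynamic lease on another interface with "Deny unknown clients" set, and flags static mappings that sit inside the dynamic range. The XML element names are an assumption modelled on the `<dhcpd>` section of a pfSense configuration backup, and the sample configuration is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; element names are assumed, not taken from the thread.
SAMPLE_CONFIG = """
<pfsense><dhcpd>
  <lan>
    <denyunknown/>
    <range><from>192.168.1.250</from><to>192.168.1.251</to></range>
    <staticmap><mac>00:11:22:33:44:01</mac><ipaddr>192.168.1.10</ipaddr></staticmap>
    <staticmap><mac>00:11:22:33:44:02</mac><ipaddr>192.168.1.250</ipaddr></staticmap>
  </lan>
  <opt1>
    <denyunknown/>
    <range><from>192.168.2.250</from><to>192.168.2.251</to></range>
    <staticmap><mac>00:11:22:33:44:99</mac><ipaddr>192.168.2.10</ipaddr></staticmap>
  </opt1>
</dhcpd></pfsense>
"""

def audit(xml_text):
    """Return (cross_segment, in_range) findings for the <dhcpd> section."""
    ifaces = {}
    for node in ET.fromstring(xml_text).find("dhcpd"):
        maps = {m.findtext("mac").lower(): m.findtext("ipaddr")
                for m in node.findall("staticmap")}
        lo, hi = (ipaddress.ip_address(node.findtext("range/" + k))
                  for k in ("from", "to"))
        ifaces[node.tag] = (maps, lo, hi, node.find("denyunknown") is not None)
    # Interface on which each MAC has its static mapping.
    known = {mac: name for name, (maps, *_) in ifaces.items() for mac in maps}
    cross, in_range = [], []
    for name, (maps, lo, hi, deny) in ifaces.items():
        # Static mappings should be issued outside the dynamic range.
        in_range += [(name, mac) for mac, ip in maps.items()
                     if ip and lo <= ipaddress.ip_address(ip) <= hi]
        # As described in the thread, a mapping on any interface makes the
        # client "known", so it may lease from this interface's range too.
        if deny:
            cross += [(mac, home, name) for mac, home in known.items()
                      if home != name]
    return sorted(cross), sorted(in_range)

if __name__ == "__main__":
    cross, in_range = audit(SAMPLE_CONFIG)
    for mac, home, other in cross:
        print(f"{mac}: mapped on {home}, can lease from the range on {other}")
    for name, mac in in_range:
        print(f"{mac}: static mapping inside the dynamic range on {name}")
```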